fix: supply chain credential test false positive, verify-docs SIGPIPE

- Credential injection test: search for actual fake credential values
  instead of env var name patterns (AWS_SECRET_ACCESS_KEY is
  intentionally in security.rs denied_env_vars list)
- Verify-docs: add || true after head -50 pipe to prevent SIGPIPE
  exit code with pipefail enabled
Marco Allegretti 2026-02-22 21:08:10 +01:00
parent 736f6ce7f1
commit a05bb30e9c


@ -700,7 +700,9 @@ jobs:
- name: "Test: No credential strings in binary"
run: |
set -euo pipefail
for TERM in "sk-FAKE" "SUPER-SECRET" "ghp_FAKE" "GITHUB_TOKEN" "wJalrXUtnFEMI" "AWS_SECRET" "cio_FAKE"; do
# Search for actual fake credential values, not env var names.
# AWS_SECRET_ACCESS_KEY appears intentionally in security.rs denied_env_vars.
for TERM in "sk-FAKE-SUPER-SECRET" "ghp_FAKE_GITHUB_TOKEN" "wJalrXUtnFEMI/K7MDENG" "cio_FAKE_REGISTRY"; do
if strings target/release/karapace | grep -qi "$TERM"; then
echo "FATAL: $TERM leaked into binary"
exit 1
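Review bot: Under `set -o pipefail`, the check `strings target/release/karapace | grep -qi "$TERM"` on the new line 23 can produce a false negative: when `grep -q` exits on its first match while `strings` is still writing, `strings` is killed by SIGPIPE, the pipeline status becomes non-zero, and the `if` takes the false branch, so a leaked string goes unreported. Letting grep consume all of its input avoids this and also makes the needles fixed strings rather than regexes: `if strings target/release/karapace | grep -iF -- "$TERM" >/dev/null; then`; running `strings` once into a `mktemp` file before the loop would additionally avoid re-scanning the binary for every needle. `TERM` is the terminal-type variable and is normally already exported in CI runners, so the loop variable would be better named `needle`. The SBOM hunk works around the same pipefail/SIGPIPE behaviour with `|| true`, but that also swallows a genuine `json.tool` failure before `echo "SBOM is valid JSON"`; `python3 -m json.tool karapace_bom.json >/dev/null` with no `head` pipe would keep that validity check intact. The loop's closing `fi`/`done` lie outside this hunk.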
@ -797,7 +799,7 @@ jobs:
echo "karapace-dbus: VERIFIED"
echo "=== Step 3: Inspect SBOM ==="
python3 -m json.tool karapace_bom.json | head -50
python3 -m json.tool karapace_bom.json | head -50 || true
echo "SBOM is valid JSON"
echo "=== ALL verification.md commands executed successfully ==="